Coming Clean: Getting a Handle on Permissions and Group Memberships

Sorting through legacy permissions can seem daunting; these suggestions will help you manage the project.

by David Rowe

It’s a problem familiar to most organizations: after years of granting permissions to users and groups, it’s nearly impossible to know who has access to what. The daunting task of cleaning up legacy permissions and ensuring that each employee is assigned the appropriate permissions hangs like a dark cloud over the heads of IT administrators.

Based on the number of users and groups or the size of the environment, it may feel impossible to sort through it all, but the stakes are high so the effort is worth it. The following tips and suggestions will help you better manage your project.

As today’s enterprises continue to make it easier for their employees, customers, partners, and other constituencies to interact with information, it’s more important than ever to put effective mechanisms in place so that people are granted appropriate permissions and that sensitive information isn’t abused or exposed. With the pace of change in the employee base in many of today’s organizations, including layoffs and the frequent use of contract employees and consultants, the risk to enterprise security has never been higher.

Incidents of unauthorized users gaining access to corporate assets are on the rise, underscoring the need for greater control over permissions. Ensuring that users have the correct access privileges when their status in a company changes is crucial to maintaining control and security, and to preventing breaches from ever occurring.

The First Steps to Regaining Control

The following key starting points for administrators can help you begin to get control of your existing permissions.

Eliminate Direct User Accounts: We've all heard the best-practice guidelines. Permission to files and folders should be granted via group memberships and not directly to users. Despite their best intentions, IT administrators often grant permissions directly to user accounts to save time. In an ideal world, this would only be done as an exception and for a good reason. In reality, it's done often and without cause. The first step toward regaining control is to identify all direct user assignments across servers and reassign their permissions to the appropriate groups.

Remove Dormant Accounts: Dormant accounts are user accounts that have not been used for a significant period of time (significant being a subjective measure that is highly variable based on the nature of the job and/or organization). For some accounts, such as factory workers who log on for human resources or benefits purposes, six months of non-use may be normal. The key is to understand one’s specific environment and apply the logic as appropriate. No matter what inputs are used, dormant accounts can be an indicator of risk and need to be addressed.

Review Groups with No Members: An Active Directory security group with no members is often an easy choice for cleanup. Besides eliminating the risk that such a group is later used incorrectly, removing unused groups reduces the clutter and confusion that slow down the cleanup initiative.

Groups with Fewer than a Certain Number of Members: Once groups with zero members have been eliminated, the next step is to identify groups with a few members. This list of groups can provide a starting point for identifying target areas for consolidation. The groups with the fewest members will be easiest to eliminate by verifying the rights assigned to the group and identifying other groups through which its members can be re-assigned permissions.

Identify Users with No Groups: On the flip side of groups with no members, identify any users that have no group memberships. This may indicate a problem. It could be useful simply to help you identify types of users that do not require group memberships that previously seemed mandatory. In other instances, it could indicate a failure in the rights provisioning process.

Consolidate Groups with Few Permission Assignments: Groups with few assigned permissions are another easy target for consolidation. If the group is not being used to grant or deny rights in more than a few instances, there's a chance that the group could be eliminated or consolidated. Of course, the results of this report need to be compared with reports on what other groups have been granted rights to the resources in question to see if the user accounts overlap or if the permissions could already be granted elsewhere.
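The inventory behind the starting points above (dormant accounts, empty groups, small groups and users with no group memberships), as an added PowerShell example that is not from the article or from NetVision; it assumes the RSAT ActiveDirectory module and read access to the domain, and the 180-day and three-member thresholds are assumptions to tune for your environment:

```powershell
# Added example: inventory checks for the cleanup starting points (not the article's code).
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Dormant accounts. The threshold is an assumption; tune it per job type and organisation.
$dormantDays = 180
$cutoff = (Get-Date).AddDays(-$dormantDays)

# LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which lags the
# real last logon by up to 14 days, so it is safe for a dormancy review but not for forensics.
# Accounts that have never logged on have no LastLogonDate; judge those by creation date.
$dormant = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated |
    Where-Object {
        ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff) -or
        ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff)
    }

# Security groups with no members, and small groups that are consolidation candidates.
$groups      = Get-ADGroup -Filter { GroupCategory -eq 'Security' } -Properties Members
$emptyGroups = $groups | Where-Object { $_.Members.Count -eq 0 }
$smallGroups = $groups | Where-Object { $_.Members.Count -gt 0 -and $_.Members.Count -le 3 }

# Users with no group memberships. MemberOf does not include the primary group
# (normally Domain Users), so a count of zero means "no memberships beyond the primary group".
$noGroups = Get-ADUser -Filter * -Properties MemberOf | Where-Object { $_.MemberOf.Count -eq 0 }

# Export every list for review; nothing is changed in the directory by this script.
$dormant     | Select-Object SamAccountName, LastLogonDate, whenCreated |
    Export-Csv dormant-users.csv -NoTypeInformation
$emptyGroups | Select-Object Name, DistinguishedName |
    Export-Csv empty-groups.csv -NoTypeInformation
$smallGroups | Select-Object Name, @{ n = 'MemberCount'; e = { $_.Members.Count } } |
    Export-Csv small-groups.csv -NoTypeInformation
$noGroups    | Select-Object SamAccountName, DistinguishedName |
    Export-Csv users-without-groups.csv -NoTypeInformation
```

Review the CSV files with the owning business units before disabling or deleting anything; a dormant account or an empty group is an indicator, not by itself a decision.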

Automating the Process

One of the most effective ways to deal with cleaning up and managing permissions is to minimize or eliminate as many manual processes as possible. Although there are tasks that will always require hands-on IT interventions, many of the steps involved with permissions are suitable for automation.

Today, there are access-rights monitoring and reporting tools that can streamline managing permissions across the enterprise. These tools enable administrators to view and report on permissions for any set or subset of resources. They can also perform calculations to determine which users can view which resources and list how those permissions are granted, a critical function because knowing where access rights are granted or denied is an important component of access control.

If you are considering investing in an access rights reporting and monitoring solution, note if the solution offers the following reporting capabilities:

  • Effective Rights: Lists calculated rights accounting for group memberships, inheritance, direct assignments, and other factors; reporting will show where the rights came from
  • Explicit Rights: Shows individual permission assignments
  • Direct User Assignments: Reports the instances where a user account has been granted access directly to a resource
  • Deny Entries: Reports the instances of explicitly denied permissions
  • Group Membership: Shows group membership assignments
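Two of the reports above, Direct User Assignments and Deny Entries, can be produced for a file share without a commercial tool. The following is an added PowerShell example, not code from the article or from NetVision; the share path is a placeholder, and it assumes the ActiveDirectory module and read access to the share's ACLs:

```powershell
# Added example: list non-inherited ACEs granted directly to user accounts, and explicit
# Deny ACEs, for every folder under a share root. Not the article's code; path is a placeholder.
Import-Module ActiveDirectory
$root   = '\\FILESERVER\Share'   # placeholder, assumption
$isUser = @{}                    # cache: SID string -> $true if it resolves to a domain user

function Test-DomainUser([System.Security.Principal.IdentityReference]$id) {
    try { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $false }
    if (-not $isUser.ContainsKey($sid)) {
        # Groups, computers, built-in principals and orphaned SIDs all fail this lookup.
        try { $null = Get-ADUser -Identity $sid -ErrorAction Stop; $isUser[$sid] = $true }
        catch { $isUser[$sid] = $false }
    }
    return $isUser[$sid]
}

$folders = @(Get-Item -LiteralPath $root) +
           @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)

$report = foreach ($dir in $folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        # Inherited entries restate a decision made higher up; report it where it was made.
        if ($ace.IsInherited) { continue }
        $direct = Test-DomainUser $ace.IdentityReference
        $deny   = $ace.AccessControlType -eq 'Deny'
        if (-not ($direct -or $deny)) { continue }
        $finding = if ($direct -and $deny) { 'DirectUserDeny' }
                   elseif ($direct)       { 'DirectUser' }
                   else                   { 'Deny' }
        [pscustomobject]@{
            Path      = $dir.FullName
            Principal = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Finding   = $finding
        }
    }
}

$report | Sort-Object Finding, Path | Export-Csv direct-and-deny-aces.csv -NoTypeInformation
```

Each DirectUser row is a candidate for moving the grant to a group; each Deny row is worth confirming, because an explicit Deny overrides any Allow a group membership would otherwise provide.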

As technology continues to advance, the security risks that IT must guard against continue to grow. Cleaning up permissions is a critical part of securing the enterprise, despite the arduous nature of the effort if done manually. An alternative option to consider is an access rights monitoring and reporting solution that can automate the cleanup process, which can enhance security and lead to greater productivity and operational efficiency.

David Rowe is the CEO of NetVision, a company providing compliance and control solutions for enterprise access auditing. You can contact the author at
